Page MenuHomePhabricator

D7003.diff
No OneTemporary

D7003.diff

diff --git a/shared/protos/identity_client.proto b/shared/protos/identity_client.proto
new file mode 100644
--- /dev/null
+++ b/shared/protos/identity_client.proto
@@ -0,0 +1,222 @@
+syntax = "proto3";
+
+package identity.client;
+
+// RPCs from a client (iOS, Android, or web) to identity service
+service IdentityClientService {
+
+ // Account actions
+
+ // Called by user to register with the Identity Service (PAKE only)
+ // Due to limitations of grpc-web, the Opaque challenge+response
+ // needs to be split up over two unary requests
+ // Start/Finish is used here to align with opaque protocol
+ rpc RegisterPasswordUserStart(RegistrationStartRequest) returns (
+ RegistrationStartResponse) {}
+ rpc RegisterPasswordUserFinish(RegistrationFinishRequest) returns (
+ RegistrationFinishResponse) {}
+ // Called by user to update password and receive new access token
+ rpc UpdateUserPasswordStart(UpdateUserPasswordStartRequest) returns
+ (UpdateUserPasswordStartResponse) {}
+ rpc UpdateUserPasswordFinish(UpdateUserPasswordFinishRequest) returns
+ (UpdateUserPasswordFinishResponse) {}
+ // Called by user to register device and get an access token
+ rpc LoginPasswordUserStart(OpaqueLoginStartRequest) returns
+ (OpaqueLoginStartResponse) {}
+ rpc LoginPasswordUserFinish(OpaqueLoginFinishRequest) returns
+ (OpaqueLoginFinishResponse) {}
+ rpc LoginWalletUser(WalletLoginRequest) returns (WalletLoginResponse) {}
+ // Called by a user to delete their own account
+ rpc DeleteUser(DeleteUserRequest) returns (Empty) {}
+
+ // Sign-In with Ethereum actions
+
+ // Called by clients to get a nonce for a Sign-In with Ethereum message
+ rpc GenerateNonce(Empty) returns (GenerateNonceResponse) {}
+}
+
+// Helper types
+
+message Empty {}
+
+// Key information needed for starting a X3DH session
+message IdentityKeyInfo {
+ // JSON payload containing Olm Identity keys
+ // Sessions for users will contain both IdentityKeys and NotifKeys
+ // For keyservers, this will only contain IdentityKeys
+ string payload = 1;
+ // Payload signed with the signing ed25519 key
+ string payloadSignature = 2;
+ // Signed message used for SIWE (optional)
+ // This correlates a given wallet with the identity of a device
+ optional string socialProof = 3;
+}
+
+// Ephemeral information provided to create initial message
+// Prekeys are generally rotated periodically
+// One-time Prekeys are "consumed" after first use
+message PreKeyResponse {
+ // Rotating preKey, validated to be associatd with IdentityKeys
+ // through signature
+ string preKey = 4;
+ string preKeySignature = 5;
+ // One time key, removed from available list of one time keys after requested
+ // Client is also intended to remove OPKs after initial message
+ optional string onetimePrekey = 6;
+}
+
+// Information needed when establishing communication to someone else's device
+message RemoteDeviceInfo {
+ IdentityKeyInfo identityInfo = 1;
+ PreKeyResponse identityPrekeys = 2;
+ PreKeyResponse notifPrekeys = 3;
+}
+
+// Information needed when establishing communication to a keyserver
+message KeyserverSessionInfo {
+ IdentityKeyInfo identityInfo = 1;
+ PreKeyResponse identityPrekeys = 2;
+}
+
+// RegisterUser
+
+// Ephemeral information provided so others can create initial message
+// to this device
+//
+// Prekeys are generally rotated periodically
+// One-time Prekeys are "consumed" after first use, so many need to
+// be provide to avoid exhausting them.
+message PreKeyRegistrationUpload {
+ // Rotating preKey, validated to be associatd with IdentityKeys
+ // through signature
+ string preKey = 1;
+ string preKeySignature = 2;
+ // One time keys
+ // Removed from available list after requested by another client
+ repeated string onetimePrekeys = 3;
+}
+
+// Bundle of information needed for creating an initial message using X3DH
+message DeviceKeyUpload {
+ IdentityKeyInfo deviceKeyInfo = 1;
+ PreKeyRegistrationUpload identityUpload = 2;
+ PreKeyRegistrationUpload notifUpload = 3;
+}
+
+// Request for registering a new user
+message RegistrationStartRequest {
+ // Message sent to initiate PAKE registration (step 1)
+ bytes opaqueRegistrationRequest = 1;
+ string username = 2;
+ // Information needed to open a new channel to current user's device
+ DeviceKeyUpload deviceKeyUpload = 3;
+}
+
+// Messages sent from a client to Identity Service
+message RegistrationFinishRequest {
+ // Identifier to correlate RegisterStart session
+ string sessionID = 1;
+ // Final message in PAKE registration
+ bytes opaqueRegistrationUpload = 2;
+}
+
+// Messages sent from Identity Service to client
+message RegistrationStartResponse {
+ // Identifier used to correlate start request with finish request
+ string sessionID = 1;
+ // sent to the user upon reception of the PAKE registration attempt
+ // (step 2)
+ bytes opaqueRegistrationResponse = 2;
+}
+
+message RegistrationFinishResponse {
+ // After successful unpacking of user credentials, return token
+ string accessToken = 2;
+}
+
+// UpdateUserPassword
+
+// Request for updating a user, similar to registration but need a
+// access token to validate user before updating password
+message UpdateUserPasswordStartRequest {
+ // Message sent to initiate PAKE registration (step 1)
+ bytes opaqueRegistrationRequest = 1;
+ // Used to validate user, before attempting to update password
+ string accessToken = 3;
+}
+
+// Do a user registration, but overwrite the existing credentials
+// after validation of user
+message UpdateUserPasswordFinishRequest {
+ // Identifier used to correlate start and finish request
+ string sessionID = 1;
+ // Opaque client registration upload (step 3)
+ bytes opaqueRegistrationUpload = 2;
+}
+
+message UpdateUserPasswordStartResponse {
+ // Identifier used to correlate start request with finish request
+ string sessionID = 1;
+ bytes opaqueRegistrationResponse = 2;
+}
+
+message UpdateUserPasswordFinishResponse {
+ // After validating client reponse, mint a new token
+ string accessToken = 2;
+}
+
+// LoginUser
+
+message OpaqueLoginStartRequest {
+ string username = 1;
+ // Message sent to initiate PAKE login (step 1)
+ bytes opaqueLoginRequest = 2;
+ // Information specific to a user's device needed to open a new channel of
+ // communication with this user
+ DeviceKeyUpload deviceKeyUpload = 3;
+}
+
+message OpaqueLoginFinishRequest {
+ // Identifier used to correlate start request with finish request
+ string sessionID = 1;
+ // Message containing client's reponse to server challenge.
+ // Used to verify that client holds password secret (Step 3)
+ bytes opaqueLoginUpload = 2;
+}
+
+message OpaqueLoginStartResponse {
+ // Identifier used to correlate start request with finish request
+ string sessionID = 1;
+ // Opaque challenge sent from server to client attempting to login (Step 2)
+ bytes opaqueLoginResponse = 2;
+}
+
+message OpaqueLoginFinishResponse {
+ // Mint and return a new key upon successful login
+ string accessToken = 2;
+}
+
+message WalletLoginRequest {
+ // ed25519 key for the given user's device
+ string siweMessage = 1;
+ string siweSignature = 2;
+ // Information specific to a user's device needed to open a new channel of
+ // communication with this user
+ DeviceKeyUpload deviceKeyUpload = 3;
+}
+
+message WalletLoginResponse {
+ string accessToken = 1;
+}
+
+// DeleteUser
+
+message DeleteUserRequest {
+ string accessToken = 1;
+}
+
+// GenerateNonce
+
+message GenerateNonceResponse{
+ string nonce = 1;
+}

File Metadata

Mime Type
text/plain
Expires
Thu, Nov 28, 6:22 AM (21 h, 40 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
2593050
Default Alt Text
D7003.diff (7 KB)

Event Timeline